top of page

Professional Beauty Salon in Reading

01183 443 772 | info@skincenter.co.uk

Privacy Policy

The Skin Center Limited
49 London Street, Reading, England, RG1 4PS
Company Number: 08121566
VAT Number: 276540682
Telephone: 01183 443 772
Email: info@skincenter.co.uk

Last Updated: January 2026

1. Introduction

The Skin Center Limited ("we", "us", "our", "the Salon") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Privacy and Electronic Communications Regulations (PECR)

  • Consumer Rights Act 2015

Data Controller: The Skin Center Limited
ICO Registration Number: [PENDING - REGISTRATION REQUIRED]
Data Protection Contact: info@skincenter.co.uk

2. Information We Collect

2.1 Personal Information You Provide

When you book appointments or use our services, we collect:

Contact Details:

  • Full name

  • Email address

  • Telephone number (mobile and/or landline)

  • Postal address

  • Emergency contact details (where appropriate)

Booking and Account Information:

  • Appointment history

  • Treatment preferences

  • Service notes and records

  • Payment card details (securely stored by Vagaro)

  • Gift voucher and package purchase details

Health and Medical Information:

  • Medical conditions and history

  • Allergies and sensitivities

  • Current medications

  • Pregnancy status

  • Previous adverse reactions to treatments

  • Skin type and conditions

  • Contraindications to treatments

  • Consultation forms and health questionnaires

Marketing Preferences:

  • Consent to receive marketing communications

  • Communication channel preferences (email, SMS)

  • Areas of interest

2.2 Information We Collect Automatically

CCTV Footage:

  • We operate CCTV cameras in public areas of the salon for security and safety purposes

  • Footage is retained for up to 30 days

  • CCTV signage is clearly displayed

Website Usage Data:

  • When you visit our website, we may collect:

    • IP address

    • Browser type and version

    • Device information

    • Pages visited and time spent

    • Referring website

    • Click patterns and navigation paths

Cookies and Tracking Technologies:

  • Our website uses cookies and similar technologies

  • Google Analytics for website performance analysis

  • Marketing cookies (subject to your consent)

  • Session cookies for functionality

  • See Section 10 for detailed cookie information

2.3 Information from Third Parties

Vagaro Booking System:

  • Booking and payment information processed through Vagaro

  • Account information if you create a Vagaro customer account

Social Media:

  • If you interact with us on social media platforms, we may receive information from those platforms in accordance with their privacy policies

3. How We Use Your Information

3.1 Legal Basis for Processing

We process your personal data under the following legal bases:

Contract Performance - To provide services you have requested:

  • Processing bookings and appointments

  • Delivering treatments and services

  • Processing payments

  • Managing packages and gift vouchers

Legitimate Interests - For business operations:

  • Maintaining treatment records for continuity of care

  • Security monitoring via CCTV

  • Improving our services

  • Managing customer relationships

  • Preventing fraud and abuse

Legal Obligation - To comply with law:

  • Financial record-keeping and tax obligations

  • Health and safety requirements

  • Responding to legal requests

Consent - Where you have given permission:

  • Marketing communications (email and SMS)

  • Use of photographs for marketing purposes

  • Non-essential cookies

Vital Interests - In emergencies:

  • To protect your health and safety in emergency situations

3.2 Purposes of Processing

We use your personal information to:

Service Delivery:

  • Book and manage appointments

  • Provide beauty and skincare treatments

  • Maintain accurate treatment records

  • Ensure treatment safety and suitability

  • Provide aftercare advice

  • Process payments and refunds

Communication:

  • Send appointment confirmations and reminders

  • Respond to enquiries and requests

  • Handle complaints and feedback

  • Provide customer support

Marketing (with your consent):

  • Send promotional offers and special deals

  • Notify you of new treatments and services

  • Send newsletters and beauty tips

  • Invite you to events

Business Operations:

  • Maintain financial and accounting records

  • Monitor and improve service quality

  • Train staff

  • Prevent and detect fraud

  • Ensure security of premises via CCTV

  • Comply with legal and regulatory obligations

Analytics:

  • Understand customer preferences and behaviour

  • Improve our website and booking system

  • Analyse treatment popularity and trends

4. Sharing Your Information

4.1 Third-Party Service Providers

We share your information with trusted third parties who help us operate our business:

Vagaro, Inc. (USA) - Booking and payment processing

  • Purpose: Online booking system, appointment management, payment processing

  • Data shared: Contact details, booking information, payment card details

  • Location: United States (adequacy decision and Standard Contractual Clauses in place)

  • Privacy policy: www.vagaro.com/privacy

Xero (New Zealand/UK) - Accounting software

  • Purpose: Financial record-keeping, invoicing, VAT compliance

  • Data shared: Transaction information, contact details for invoicing

  • Location: New Zealand/UK servers

  • Privacy policy: www.xero.com/uk/legal/privacy

Wix.com (Israel/EU) - Website hosting and email marketing

  • Purpose: Website hosting, email marketing campaigns

  • Data shared: Contact details, marketing preferences

  • Location: EU servers (GDPR compliant)

  • Privacy policy: www.wix.com/about/privacy

Google LLC (USA) - Analytics

  • Purpose: Website analytics and performance monitoring

  • Data shared: Website usage data, anonymised where possible

  • Location: United States

  • Privacy policy: policies.google.com/privacy

INsync Insurance - Insurance provider

  • Purpose: Professional indemnity and liability claims

  • Data shared: Only in event of claim - relevant treatment records

  • Location: United Kingdom

4.2 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal obligations or court orders

  • Protect our rights, property, or safety

  • Protect the rights, property, or safety of others

  • Prevent fraud or criminal activity

  • Respond to requests from regulatory authorities

4.3 Business Transfers

In the event of a sale, merger, or transfer of our business, your personal data may be transferred to the new owner, subject to the same privacy protections.

4.4 No Other Sharing

We do not:

  • Sell your personal data to third parties

  • Share your data for third-party marketing purposes

  • Transfer data outside the UK/EEA except as specified above with appropriate safeguards

5. Data Security

5.1 Security Measures

We implement appropriate technical and organisational measures to protect your personal data:

Physical Security:

  • Secure salon premises with restricted access

  • CCTV monitoring

  • Locked storage for paper records

Digital Security:

  • Password-protected systems and devices

  • Encrypted connections (SSL/TLS) for online transactions

  • Secure cloud storage with reputable providers

  • Regular software updates and security patches

  • Access controls limiting staff access to necessary data only

Organisational Security:

  • Staff training on data protection

  • Confidentiality agreements

  • Clear data handling procedures

  • Regular review of security measures

5.2 Payment Security

  • We do not store full payment card details on our systems

  • Card payments are processed through Vagaro's PCI DSS compliant payment gateway

  • Only tokenised card references are stored for future bookings (with your consent)

5.3 Data Breach Procedures

  • In the unlikely event of a data breach affecting your personal data, we will:

    • Assess the risk and severity

    • Notify the ICO within 72 hours if required

    • Notify affected individuals without undue delay if there is a high risk to your rights

    • Take immediate steps to contain and remedy the breach

6. Data Retention

6.1 How Long We Keep Your Data

⚠️ RETENTION POLICY UNDER REVIEW

We are currently implementing a comprehensive data retention policy to ensure full GDPR compliance. The following retention periods will apply:

Financial and Tax Records:

  • Minimum 7 years from end of financial year (HMRC requirement)

  • Includes invoices, payments, VAT records

Treatment Records:

  • Active clients: Retained for duration of relationship plus 7 years

  • Inactive clients: Reviewed after 3 years of no activity

  • Medical/health information: Retained in line with treatment records for safety and continuity of care

Marketing Data:

  • Retained while consent is active

  • Deleted within 30 days of consent withdrawal

  • Reviewed every 2 years to confirm ongoing consent

CCTV Footage:

  • 30 days, then automatically overwritten unless required for investigation

Website Analytics:

  • Anonymised data retained indefinitely

  • Personal identifiers removed after 26 months

Complaints and Legal Claims:

  • 7 years from resolution or as required by legal proceedings

6.2 Right to Erasure

  • You may request deletion of your personal data (see Section 8 - Your Rights)

  • We will comply unless we have a legal obligation to retain the data

  • Some data must be retained for tax, accounting, or legal purposes

7. International Transfers

7.1 Transfers Outside UK/EEA

Some of our service providers are located outside the United Kingdom and European Economic Area:

Vagaro, Inc. (United States):

  • EU-US Data Privacy Framework participation

  • Standard Contractual Clauses in place

  • Equivalent level of protection ensured

Google LLC (United States):

  • EU-US Data Privacy Framework participation

  • Standard Contractual Clauses

7.2 Safeguards

All international transfers are protected by:

  • Adequacy decisions (where applicable)

  • Standard Contractual Clauses (SCCs) approved by the UK ICO

  • Binding Corporate Rules

  • Explicit consent (where required)

8. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

8.1 Right of Access

  • You can request a copy of the personal data we hold about you

  • This is commonly known as a "Subject Access Request" (SAR)

  • We will respond within one month

  • First request is free; excessive or repeat requests may incur a reasonable fee

8.2 Right to Rectification

  • You can request correction of inaccurate or incomplete data

  • Please notify us of any changes to your contact details or medical information

8.3 Right to Erasure ("Right to be Forgotten")

  • You can request deletion of your personal data in certain circumstances:

    • Data no longer necessary for the original purpose

    • You withdraw consent (where consent was the legal basis)

    • You object to processing and there are no overriding legitimate grounds

    • Data processed unlawfully

  • This right is not absolute; we may need to retain data for legal obligations

8.4 Right to Restrict Processing

  • You can request restriction of processing in certain situations:

    • Contesting accuracy of data

    • Processing is unlawful but you don't want erasure

    • We no longer need the data but you need it for legal claims

    • You've objected to processing pending verification

8.5 Right to Data Portability

  • You can request your data in a structured, commonly used, machine-readable format

  • You can request direct transfer to another provider where technically feasible

  • Applies to data processed by automated means with your consent or for contract performance

8.6 Right to Object

  • You can object to processing based on legitimate interests

  • You can object to direct marketing at any time (we will stop immediately)

  • You can object to processing for research or statistical purposes

8.7 Rights Related to Automated Decision-Making

  • We do not use automated decision-making or profiling that produces legal or similarly significant effects

8.8 Right to Withdraw Consent

  • Where processing is based on consent, you can withdraw it at any time

  • This does not affect the lawfulness of processing before withdrawal

  • Easy unsubscribe options in all marketing communications

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact us:

  • Email: info@skincenter.co.uk

  • Telephone: 01183 443 772

  • In writing: The Skin Center Limited, 49 London Street, Reading, RG1 4PS

We will respond within one month. In complex cases, we may extend this by two months and will notify you.

9. Marketing Communications

9.1 Consent

  • We will only send marketing communications if you have given consent

  • You can opt in or out at any time

  • We use Vagaro and Wix for email marketing campaigns

9.2 What We Send

  • Special offers and promotions

  • New treatment announcements

  • Beauty tips and advice

  • Seasonal campaigns

  • Event invitations

  • Newsletters

9.3 How to Opt Out

You can unsubscribe from marketing at any time by:

  • Clicking "unsubscribe" in any marketing email

  • Replying "STOP" to SMS messages

  • Contacting us directly (details in Section 8.9)

  • Updating your preferences in your Vagaro account

9.4 Transactional Communications

  • Appointment confirmations, reminders, and receipts are not marketing

  • You cannot opt out of these as they are essential to our service

  • They are sent based on contract performance, not consent

10. Cookies and Tracking

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience.

10.2 Types of Cookies We Use

⚠️ COOKIE AUDIT IN PROGRESS

We are currently conducting a full audit of all cookies used on our website. The following information represents our current understanding:

Strictly Necessary Cookies:

  • Essential for website functionality

  • Cannot be disabled

  • Session management and security

  • No consent required

Performance/Analytics Cookies:

  • Google Analytics for website usage analysis

  • Help us understand how visitors use our site

  • Anonymised where possible

  • Require consent

Functionality Cookies:

  • Remember your preferences

  • Improve user experience

  • May require consent depending on type

Marketing/Advertising Cookies:

  • Track visits across websites

  • Build profile of interests

  • Deliver targeted advertising

  • Status under review - Facebook Pixel and other marketing pixels

  • Require explicit consent

10.3 Managing Cookies

You can control cookies through:

  • Cookie banner on first visit to our website (when implemented)

  • Browser settings - most browsers allow you to refuse or delete cookies

  • Google Analytics opt-out: tools.google.com/dlpage/gaoptout

Note: Disabling necessary cookies may affect website functionality.

10.4 Third-Party Cookies

Our website may contain links to third-party websites (e.g., social media). These sites have their own privacy policies and cookie practices, which we do not control.

11. CCTV and Surveillance

11.1 Why We Use CCTV

  • Security of premises, staff, and clients

  • Prevention and detection of crime

  • Health and safety monitoring

  • Investigation of incidents

11.2 CCTV Coverage

  • Public areas of the salon (reception, corridors)

  • Exterior of building

  • Not used in treatment rooms (privacy respected)

11.3 CCTV Data

  • Footage retained for up to 30 days

  • Automatically overwritten unless required for investigation

  • Access restricted to authorised staff

  • Shared with police only when legally required

11.4 CCTV Signage

  • Clear signage displayed at entry points

  • Signs indicate CCTV is in operation and who to contact

11.5 Your Rights

  • You can request access to CCTV footage showing you (Subject Access Request)

  • We will respond within one month

  • Identity verification required

12. Children's Privacy

12.1 Age Restrictions

  • Our services are primarily intended for individuals aged 16 and over

  • Individuals under 16 require parental or guardian consent for:

    • Booking appointments

    • Receiving treatments

    • Processing of personal data

12.2 Parental Consent

  • Parents/guardians must accompany minors under 16

  • Parents/guardians must provide consent for treatments

  • We may request proof of parental relationship

12.3 Data Protection for Minors

  • We take extra care when processing data of individuals under 18

  • Marketing communications not sent to under-16s without explicit parental consent

13. Changes to This Privacy Policy

13.1 Updates

  • We may update this Privacy Policy from time to time to reflect:

    • Changes in law or regulation

    • Changes to our business practices

    • New technologies or services

    • Feedback from regulatory authorities

13.2 Notification

  • Significant changes will be notified by:

    • Prominent notice on our website

    • Email to registered customers

    • In-salon notices

  • Continued use of our services after changes constitutes acceptance

13.3 Version Control

  • Last Updated: January 2026

  • Version: 1.0 (Pending ICO Registration and Full Cookie/Retention Policy Implementation)

14. Complaints and Concerns

14.1 Contact Us First

If you have concerns about how we handle your personal data, please contact us:

The Skin Center Limited
49 London Street
Reading
England
RG1 4PS

Email: info@skincenter.co.uk
Telephone: 01183 443 772

We will investigate and respond within 30 days.

14.2 Information Commissioner's Office (ICO)

If you remain dissatisfied, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: www.ico.org.uk
Report online: ico.org.uk/make-a-complaint

15. Contact Information

For any questions about this Privacy Policy or how we handle your personal data:

Data Controller:
The Skin Center Limited

Registered Address:
49 London Street
Reading
England
RG1 4PS

Contact Details:
Email: info@skincenter.co.uk
Telephone: 01183 443 772

Company Registration Number: 08121566
VAT Number: 276540682
ICO Registration Number: [PENDING CONFIRMATION]

IMPORTANT COMPLIANCE NOTICES

⚠️ CRITICAL - ICO REGISTRATION REQUIRED

The Skin Center Limited processes sensitive personal data (health information, payment details, CCTV) and MUST be registered with the Information Commissioner's Office (ICO).

Immediate action required:

  1. Check registration status at: ico.org.uk/ESDWebPages/Search

  2. If not registered, register immediately at: ico.org.uk/registration

  3. Annual fee: £40-60 depending on business size

  4. Failure to register is a criminal offence with fines up to £17.5 million or 4% of turnover

Once registered, add the ICO registration number to:

  • Section 1 of this Privacy Policy

  • Section 13.1 of Terms and Conditions

  • Footer of website

⚠️ DATA RETENTION POLICY - UNDER REVIEW

Current practice of indefinite data retention violates UK GDPR principles of storage limitation.

Required action:

  • Implement retention periods specified in Section 6.1

  • Set up automated review processes

  • Establish secure deletion procedures

  • Document retention decisions

  • Train staff on retention policy

⚠️ COOKIE POLICY - AUDIT REQUIRED

Full website cookie audit needed to identify:

  • All cookies currently in use

  • Facebook Pixel status

  • Other marketing/tracking pixels

  • Third-party cookies

Required action:

  • Conduct technical cookie audit

  • Implement cookie consent banner (if not already present)

  • Update Section 10 with complete cookie list

  • Ensure marketing cookies require explicit consent

  • Test cookie consent mechanism

⚠️ RECOMMENDED - COOKIE POLICY PAGE

Consider creating a separate, dedicated Cookie Policy page on your website for transparency and ease of access, with link from this Privacy Policy.

By using our services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

Document Status: Draft pending ICO registration confirmation and completion of cookie/retention policy audits.

bottom of page